With this it will be convenient to discuss the following:
Government amendments 63 to 68.
Amendment 154, in clause 183, page 106, line 24, at end insert—
“(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject’s mandate—
(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),
(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),
(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).
(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and—
(a) for the purposes of this subsection ‘proceedings’ includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,
(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual’s own rights have been infringed,
(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,
(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court’s own motion, and
(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.
(4C) Subsections (4A) and (4B)—
(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,
(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and
(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.”
This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.
Amendment 155, in clause 205, page 120, line 38, at end insert—
“(ca) section 183 (4A) to (4C);”
This amendment would create a collective redress mechanism whereby a not-for-profit body, organisation or association can represent multiple individuals for infringement of their rights under the General Data Protection Regulation.
Government amendments 73 and 74.

Liam Byrne: I will speak to amendments 154 and 155, which are in my name and those of my hon. Friends. The broad point I want to start with is a philosophical point about rights. If rights are to be real, two things need to be in place: first, a level of transparency so that we can see whether those rights are being honoured or breached; and, secondly, an efficient form of redress. If we do not have transparency and an effective, efficient and open means of redress, the rights are not real, so they are theoretical.
We think there are some unique circumstances in the field of data protection that require a slightly different approach from the one that the Government have proposed. The Government have basically proposed an opt-in approach with a review. We propose an opt-out approach. We think that the argument is clear cut, so we do not see why the Government have chosen to implement something of a half-measure.
The Bill gives us the opportunity to put in place an effective, efficient and world-leading form of redress to ensure that data protection rights are not breached. The reality is that large-scale data breaches are now part and parcel of life. They affect not only the private sector but the private sector, which is partnering with Government. We have seen a number of data breaches among Government partners where financial information has been leaked. The reality is that data protection breaches around the world are growing in number and size.
What is particularly egregious is that many private sector companies admit to the scale of a data breach only many years after the offence has taken place. Yahoo! is a case in point. It had one of the biggest data breaches so far known, but it took many months before the truth came out. That has been true of Government partners, too. Sometimes a lesser offence is admitted to. There is muttering about a particular problem and then, as the truth unfolds, we hear that a massive data breach has taken place. The reality is that these firms are by and large going unpunished. Although the Bill proposes some new remedies of a significant scale, unless those remedies can be sought by ordinary citizens in a court, they frankly are not worth the paper they are printed on.
To underline that point, I remind the Committee that often we look to the Information Commissioner to take the lead in prosecuting these offences. My hon. Friend the Member for Bristol North West was right to celebrate the strength of our current Information Commissioner, but the Government have not blessed the Information Commissioner with unlimited resources, and that will not change in the foreseeable future. What that means is that in the last year for which we have information—2016-17—the Information Commissioner issued only 16 civil monetary penalties for data breaches. That is a very small number. We think we need a regime that allows citizens to bring actions in court. That would multiply the power of the Information Commissioner.
Article 80 of the GDPR addresses that problem in a couple of ways, and the Minister has alluded to them. Article 81 basically allows group or class actions to be taken, and article 82 says that the national law can allow representative bodies to bring proceedings. The challenge with the way in which the Government propose to activate that power is that the organisation bringing the class action must seek a positive authorisation and people must opt in. The risk is that that will create a burden so large that many organisations will simply not step up to the task.
A world-leading charity and consumer rights organisation such as Which?, for example, would have a board of trustees to which it would be accountable. It would have to satisfy the trustees that it was not about to embark on something very difficult and expensive. I think most trustees would regard bringing a class action against Google, Facebook, Apple or Microsoft as a reasonably high risk action. If they then have to get a positive opt-in from a large number of people, like the 100,000 affected by the Morrisons data breach, it simply will not happen.
The mechanism that the Government propose breaks down in two particular ways in the real world. First, it takes no account of the gigantic asymmetry between the fearsome five data giants, or indeed many of the other large organisations that control tons and tons of our data, and the humble individual. I mentioned earlier in our proceedings that the big five data giants have a combined market capitalisation of $2.4 trillion. They have billions and billions in cash sitting on their balance sheets. Their legal power is practically unlimited and certainly unprecedented. The role of the plucky organisation being empowered by the Bill to bring a class action is, I am afraid, under some pressure. There is a gigantic inequality of legal arms.
The second reality on which the Government’s argument founders is the fact that data breaches, by their very nature, involve data being leaked about tens and tens of thousands of people. The idea that a small charity or a small representative body can round up positive authorisation from tens of thousands of people who have had their rights violated in order to then take Facebook, Google, Apple, Microsoft, Morrisons or Experian to court is laughable. I therefore ask the Government to reflect again on the unique asymmetry that such legal cases confront, and on the evidence of organisations such as Which?, which have had to try to bring cases such as that of Lloyd against Google. That evidence tells us loud and clear that a regime that requires opt-in will simply not work in practice. Our amendment would switch the emphasis. It would allow representative bodies to bring cases, allow people to opt out of cases and allow a collective opt-out.
The reason why the regime that we propose is much better than the one that Ministers proposed is to do with the protection of children’s data rights, which we all want to emphasise. I do not think any of us here is such a fantasist that we imagine that groups of children will take Facebook to court because it might have leaked their data somewhere. We will therefore rely on representative organisations to bring class actions on behalf of children. How on earth will Which? round up thousands of the nation’s children to secure their positive opt-in to a class action, which it is in the national interest to bring? That would be completely impossible. The measures that the Government propose are not only weak for adults but completely ineffective for children.
The Government’s proposals will allow for a reversal of the regime once we have taken into account the way the world works. Let us think about what that involves, though: allowing the system to fail before getting round to fixing it. The idea is that we introduce a regime knowing that it will not work, and watch the wholesale abuse and breach of people’s data rights. We then reflect on the reality that it is impossible for those people to secure justice under the regime that the Government have proposed. Then we decide that we will have a review, which will take a few months. Then Ministers will have to take a decision, and they will probably bring some proposals back to the House. At some point in the 2020s—perhaps the late 2020s—we may get round to having an effective regime to protect people’s data rights.
This is one of the defining questions on the Bill—the Government’s attitude to the amendments will define whether they are taking the defence of data rights seriously. We now know enough, from cases such as Lloyd against Google, about what works and does not work. The way the Which? trustees had to reflect on class actions brought against companies such as Google tells us enough about how the regime needs to operate.
If the Government are serious about taking on the double asymmetry—the asymmetry between the humble individual and the gigantic tech giants, and that between a single case and thousands of people having their data breached—they will accept the amendments. They were drawn up and tested very carefully. We sought expert legal counsel to get them right. We are grateful to the House for the fact that they have been framed nice and clearly. I urge Ministers not to fail this basic test of judgment as to whether they are serious about protecting our data rights, and to accept the amendments.

Darren Jones: I promise not to speak at every opportunity today, Mr Streeter; I am conscious that it is a Thursday and that Members have constituencies to get to, but on this point I will just add my support to the amendment tabled by my right hon. Friend the Member for Birmingham, Hodge Hill.
The Bill puts us in a position that we should not have been in in the first place. The Government’s original view was that they were not going to implement article 80 of the GDPR; they have now gone one step in that direction, and I support the aim that we go the whole hog.
I recognise from my work previous to being an MP that a lot of tech companies are not evil; they want to do the right thing and go about being successful as businesses. It was partly my job in the past to look at these areas of law on behalf of companies, and to work with campaigning groups, regulators and others. It was about being an internal voice to make sure that the balance within businesses was correct between considering consumers and being pro-business. This amendment would help to facilitate that conversation, because if bodies such as Which? that are private enforcers on behalf of consumers had these legal rights, then of course there would be an obligation on businesses to have ongoing dialogue and relationships. They would have to make sure that consumers’ concerns were at the forefront and that they were doing things in the right way.
The balance to be struck is really important. The Information Commissioner’s Office, for example, has lost quite a lot of staff to other companies recently. The Minister’s Department had to increase the salary bands for ICO staff to try to keep them there. In other sectors of the regulated economy, having private enforcers on behalf of consumers as a collective group works perfectly well for existing regulators.
In the telecommunications sector, in which I have worked in the past, there is Ofcom, which regulates the telecom sector, but there is also Which?, working as a private enforcer under the Consumer Rights Act 2015, which can act on behalf of consumers as a group. That works perfectly well and as my right hon. Friend said, private enforcers will not just start bringing these super-complaints every week, because the risk would be too high. They will only bring these super-complaints when they have failed in their dialogue and have no choice.
Under the Consumer Rights Act 2015, where this mechanism exists today, we do not have endless vexatious super-complaints. There are actually some very effective super-complaints that work well in the interests of consumers, however. Some of the data breaches have involved groups as big as tens of millions of people.
I know from my own experience in other parts of law that we cannot always identify the individual involved. Sometimes they have moved on, or their contact details have changed, and we physically cannot get compensation to them. Under the Consumer Rights Act, again with the mechanism that came from European law—it is a principle that has been copied across from the GDPR—compensation can be given to others on behalf of consumers as a group. It is given to consumer charities or consumer regulators to help facilitate their work. We ought to be alive to that possibility in data protection law.
That mechanism is normal and widely used at European Union law level to balance power between consumers and businesses. We have adopted it into UK law, as the Minister will know from her previous role as the Minister responsible for consumer law and small business. I do not see why we cannot use it now, so I support the amendment. It simply says, let us get on with it instead of waiting to see whether it works, because we know that it works perfectly well today in other areas of law.

Before I call the Minister to respond, it might help the Committee to know that, although we are properly debating Opposition amendments 154 and 155 at the moment, if they are to be put to a Division, that cannot happen until we reach clause 183. However, that does not prevent the Minister from indicating she might accept them at this stage. That is entirely up to her.

As I said, we will deal with the Opposition amendments later in our proceedings.

I think the amendments are to clause 27 of the Bill.

That is the next clause.

With this it will be convenient to discuss the following:
Amendment 162, in clause 27, page 17, line 5, at end insert—
“(1A) The decision to issue the certificate must be—
(a) approved by a Judicial Commissioner,
(b) laid before Parliament,
(c) published and publicly accessible on the Information Commissioner’s Office website.
(1B) In deciding whether to approve an application under subsection (1), a Judicial Commissioner must review the Minister’s conclusions as to the following matters—
(a) whether the certificate is necessary on relevant grounds,
(b) whether the conduct that would be authorised by the certificate is proportionate to what is sought to be achieved by that conduct, and
(c) whether it is necessary and proportionate to exempt all provisions specified in the certificate.”
This amendment would ensure that oversight and safeguarding in the application for a National Security Certificate are effective, requiring sufficient detail in the application process.
Amendment 163, in clause 27, page 17, leave out lines 6 to 8 and insert—
“(2) An application for a certificate under subsection (1)—
(a) must identify the personal data to which it applies by means of a detailed description, and”.
This amendment would require a National Security Certificate to identify the personal data to which the Certificate applies by means of a detailed description.
Amendment 164, in clause 27, page 17, line 9, leave out subsection (2)(b).
This amendment would ensure that a National Security Certificate cannot be expressed to have prospective effect.
Amendment 165, in clause 27, page 17, line 9, at end insert—
“(c) must specify each provision of this Act which it seeks to exempt, and
(d) must provide a justification for both (a) and (b).”
This amendment would ensure effective oversight of exemptions of this Act from the application for a National Security Certificate.
Amendment 166, in clause 27, page 17, line 10, leave out “directly” and insert
“who believes they are directly or indirectly”
This amendment would broaden the application of subsection (3) so that any person who believes they are directly affected by a National Security Certificate may appeal to the Tribunal against the Certificate.
Amendment 167, in clause 27, page 17, line 12, leave out
“, applying the principles applied by a court on an application for judicial review,”
This amendment removes the application to the appeal against a National Security Certificate of the principles applied by a court on an application for judicial review.
Amendment 168, in clause 27, page 17, line 13, leave out
“the Minister did not have reasonable grounds for issuing”
and insert
“it was not necessary or proportionate to issue”.
These amendments would reflect that the Minister would not be the only authority involved in the process of applying for a National Security Certificate.
Amendment 169, in clause 27, page 17, line 16, at end insert—
“(4A) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Judicial Commissioner must give the Minister of the Crown reasons in writing for the refusal.
(4B) Where a Judicial Commissioner refuses to approve a Minister’s application for a certificate under this Chapter, the Minister may apply to the Information Commissioner for a review of the decision.
(4C) It is not permissible for exemptions to be specified in relation to—
(a) Chapter II of the applied GDPR (principles)—
(i) Article 5 (lawful, fair and transparent processing),
(ii) Article 6 (lawfulness of processing),
(iii) Article 9 (processing of special categories of personal data),
(b) Chapter IV of the applied GDPR—
(i) GDPR Articles 24 – 32 inclusive,
(ii) GDPR Articles 35 – 43 inclusive,
(c) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)—
(i) GDPR Article 83 (general conditions for imposing administrative fines),
(ii) GDPR Article 84 (penalties),
(d) Part 5 of this Act, or
(e) Part 7 of this Act.”
This amendment would require a Judicial Commissioner to intimate in writing to the Minister reasons for refusing the Minister’s application for a National Security Certificate and allows the Minister to apply for a review by the Information Commissioner of such a refusal.

I will call the Minister to respond, but before she responds to that point, she wishes to correct the record in relation to a previous point, which I am happy to permit.

And now the response to amendment 161.

It is up to the Committee what time we adjourn for lunch, of course, and the Minister may wish to speak quite rapidly.